<!DOCTYPE html>
<html lang=zh>
<head>
    <!-- so meta -->
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="HandheldFriendly" content="True">
    <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1" />
    <meta name="description" content="加密文章，仅自用">
<meta property="og:type" content="article">
<meta property="og:title" content="[应急响应]浅谈应急响应方法论">
<meta property="og:url" content="https://github.com/TonyD0g/2022/09/25/%E5%BA%94%E6%80%A5%E5%93%8D%E5%BA%94%E6%B5%85%E8%B0%88%E5%BA%94%E6%80%A5%E5%93%8D%E5%BA%94%E6%96%B9%E6%B3%95%E8%AE%BA/index.html">
<meta property="og:site_name" content="TonyD0g">
<meta property="og:description" content="加密文章，仅自用">
<meta property="og:locale" content="zh_CN">
<meta property="og:image" content="https://github.com/theLSA/emergency-response-checklist/raw/master/img/esc00.png">
<meta property="og:image" content="https://github.com/theLSA/emergency-response-checklist/raw/master/img/esc01.png">
<meta property="og:image" content="https://github.com/theLSA/emergency-response-checklist/raw/master/img/esc02.png">
<meta property="og:image" content="https://s1.ax1x.com/2023/01/02/pSPKHuF.png">
<meta property="article:published_time" content="2022-09-25T07:33:24.000Z">
<meta property="article:modified_time" content="2023-08-16T06:01:06.821Z">
<meta property="article:author" content="TonyD0g">
<meta property="article:tag" content="应急响应">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://github.com/theLSA/emergency-response-checklist/raw/master/img/esc00.png">
    
    
        
          
              <link rel="shortcut icon" href="/images/favicon.ico">
          
        
        
          
            <link rel="icon" type="image/png" href="/images/favicon-192x192.png" sizes="192x192">
          
        
        
          
            <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon.png">
          
        
    
    <!-- title -->
    <title>[应急响应]浅谈应急响应方法论</title>
    <!-- styles -->
    
<link rel="stylesheet" href="/css/style.css">

    <!-- persian styles -->
    
      
<link rel="stylesheet" href="/css/rtl.css">

    
    <!-- rss -->
    
    
<meta name="generator" content="Hexo 4.2.1"></head>

<body class="max-width mx-auto px3 ltr">
    

    
    <div class="content index py4">
        
        <article class="post" itemscope itemtype="http://schema.org/BlogPosting">
  <header>
    
    <h1 class="posttitle" itemprop="name headline">
        [应急响应]浅谈应急响应方法论
    </h1>



    <div class="meta">
      <span class="author" itemprop="author" itemscope itemtype="http://schema.org/Person">
        <span itemprop="name">TonyD0g</span>
      </span>
      
    <div class="postdate">
      
        <time datetime="2022-09-25T07:33:24.000Z" itemprop="datePublished">2022-09-25</time>
        
        (Updated: <time datetime="2023-08-16T06:01:06.821Z" itemprop="dateModified">2023-08-16</time>)
        
      
    </div>


      

      
    <div class="article-tag">
        <i class="fas fa-tag"></i>
        <a class="tag-link" href="/tags/%E5%BA%94%E6%80%A5%E5%93%8D%E5%BA%94/" rel="tag">应急响应</a>
    </div>


    </div>
  </header>
  

  <div class="content" itemprop="articleBody">
    <p>加密文章，仅自用</p>
<a id="more"></a>

<h1 id="应急总结"><a href="#应急总结" class="headerlink" title="应急总结"></a><strong>应急总结</strong></h1><ol>
<li>核心思路是“顺藤摸瓜”</li>
<li>碎片信息的关联分析</li>
<li>时间范围的界定以及关键操作时间点串联</li>
<li>Web入侵类，shell定位很重要</li>
<li>假设与求证</li>
<li>攻击画像与路线确认</li>
</ol>
<h3 id="整体分析流程"><a href="#整体分析流程" class="headerlink" title="整体分析流程"></a>整体分析流程</h3><p><a href="https://github.com/theLSA/emergency-response-checklist/raw/master/img/esc00.png"><img src="https://github.com/theLSA/emergency-response-checklist/raw/master/img/esc00.png" alt="img"></a></p>
<p><a href="https://github.com/theLSA/emergency-response-checklist/raw/master/img/esc01.png"><img src="https://github.com/theLSA/emergency-response-checklist/raw/master/img/esc01.png" alt="img"></a></p>
<p><a href="https://github.com/theLSA/emergency-response-checklist/raw/master/img/esc02.png"><img src="https://github.com/theLSA/emergency-response-checklist/raw/master/img/esc02.png" alt="img"></a></p>
<h1 id="渗透反辅"><a href="#渗透反辅" class="headerlink" title="渗透反辅"></a><strong>渗透反辅</strong></h1><ol>
<li><p>密码读取</p>
<p>a) Windows: Mimikatz</p>
<p>b) Linux: mimipenguin</p>
</li>
<li><p>帐号信息</p>
<p>a) 操作系统帐号</p>
<p>b) 数据库帐号</p>
<p>c) 应用帐号信息</p>
</li>
<li><p>敏感信息</p>
<p>a) 配置信息</p>
<p>b) 数据库信息</p>
<p>c) 服务端口信息</p>
<p>d) 指纹信息</p>
</li>
<li><p>滚雪球式线性拓展</p>
<p>a) 密码口令类拓展（远控）</p>
<p>b) 典型漏洞批量利用</p>
</li>
<li><p>常见的入侵方式Getshell方法</p>
<p>a) WEB入侵</p>
<p>​    i. 典型漏洞：注入Getshell , 上传Getshell，命令执行Getshell，文件包含Getshell，代码执行Getshell，编辑器getshell，后台管理Getshell，数据库操作Getshell</p>
<p>​    ii. 容器相关：Tomcat、Axis2、WebLogic等中间件弱口令上传war包等，Websphere、weblogic、jboss反序列化，Struts2代码执行漏洞，Spring命令执行漏洞</p>
<p>b) 系统入侵</p>
<p>​    i. SSH 破解后登录操作</p>
<p>​    ii. RDP 破解后登录操作</p>
<p>​    iii. MSSQL破解后远控操作</p>
<p>​    iv. SMB远程命令执行（MS08-067、MS17-010、CVE-2017-7494）</p>
<p>c) 典型应用</p>
<p>​    i. Mail暴力破解后信息挖掘及漏洞利用</p>
<p>​    ii. VPN暴力破解后绕过边界</p>
<p>​    iii. Redis 未授权访问或弱口令可导ssh公钥或命令执行</p>
<p>​    iv. Rsync 未授权访问类</p>
<p>​    v. Mongodb未授权访问类</p>
<p>​    vi. Elasticsearch命令执行漏洞</p>
<p>​    vii. Memcache未授权访问漏洞</p>
<p>​    viii. 服务相关口令（mysql ldap zebra squid vnc smb）</p>
</li>
</ol>
<h1 id="溯源与反制"><a href="#溯源与反制" class="headerlink" title="溯源与反制"></a>溯源与反制</h1><p><strong>溯源部分:</strong></p>
<p><strong>1.溯源大纲</strong></p>
<p><img src="https://s1.ax1x.com/2023/01/02/pSPKHuF.png" alt="img"></p>
<p><strong>2.溯源总结</strong></p>
<figure class="highlight md"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br></pre></td><td class="code"><pre><span class="line">1.1. IP溯源</span><br><span class="line">a. </span><br><span class="line">寻找IP是否有域名解析，历史域名解析信息。</span><br><span class="line"></span><br><span class="line">b. </span><br><span class="line">通过IP反查接口，反查IP上的域名信息</span><br><span class="line"></span><br><span class="line">c.</span><br><span class="line">通过端口漏洞去进行渗透（自己之前有一个案例就是通过smb的会话枚举，枚举到用户id最终一套溯源溯到目标攻击人员）</span><br><span class="line"></span><br><span class="line">1.2. 域名溯源</span><br><span class="line"></span><br><span class="line">a. 
</span><br><span class="line">域名威胁情报（历史whois信息、解析的IP信息、历史IP解析信息）</span><br><span class="line"></span><br><span class="line">b. </span><br><span class="line">域名whois信息（获取到注册人、注册邮箱，这里去看2.3. 邮箱溯源）</span><br><span class="line"></span><br><span class="line">c. </span><br><span class="line">web渗透（通过漏洞、审计0day等思路反打服务器）</span><br><span class="line"></span><br><span class="line">1.3. 邮件溯源</span><br><span class="line">a. </span><br><span class="line">邮件导出为eml格式，提取发件人IP（获取到IP后，去看 IP溯源思路）</span><br><span class="line"></span><br><span class="line">b. </span><br><span class="line">获取到执行程序、文档（这里去看 木马溯源）</span><br><span class="line"></span><br><span class="line">1.4. 木马溯源</span><br><span class="line">a. </span><br><span class="line">提取C2域名、及一些木马信息</span><br><span class="line"></span><br><span class="line">b. </span><br><span class="line">这里不一定是执行程序，可能是文档，放入虚拟机通过wireshark抓取流量抓取外联IP（获取到IP后，去看 IP溯源思路）。</span><br><span class="line"></span><br><span class="line">c. </span><br><span class="line">对木马进行逆向，看木马是否包含红队物理路径信息，物理路径是否携带用户名ID</span><br><span class="line"></span><br><span class="line">1.5. 蜜罐溯源</span><br><span class="line">a.</span><br><span class="line">有条件每个段搭建几个，把真实业务网站1比1复刻做钓鱼页面。</span><br></pre></td></tr></table></figure>

<p><strong>不同信息的溯源思路</strong></p>
<figure class="highlight md"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br></pre></td><td class="code"><pre><span class="line">2.1. 
ID溯源</span><br><span class="line">github、csdn、博客园、i春秋、freebuf、t00ls、贴吧、微博、抖音、快手、百度贴吧等</span><br><span class="line">朋友圈溯源（多加几个群，总会用得上）</span><br><span class="line">好友溯源</span><br><span class="line"></span><br><span class="line">2.2. 域名溯源</span><br><span class="line">whois反查</span><br><span class="line">whois隐私保护反查思路（域名历史IP解析）</span><br><span class="line">搜索引擎</span><br><span class="line"></span><br><span class="line">2.3. 邮箱溯源</span><br><span class="line">邮箱注册域名</span><br><span class="line">邮箱前缀可能是ID、手机号、QQ等信息</span><br><span class="line">爱企查、天眼查、企查查反查公司</span><br><span class="line">reg007.com查邮箱注册过的网站，通过各个平台找回密码找信息</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">2.4. 手机号溯源</span><br><span class="line">查脉脉、领英，得到毕业院校、工作经历</span><br><span class="line">查微博、知乎、github等社交账号</span><br><span class="line">微信、支付宝转账，得到部分真实姓名</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">2.5. QQ溯源</span><br><span class="line">添加好友看QQ名片信息</span><br><span class="line">QQ邮箱支付宝转账</span><br><span class="line">搜索引擎搜索QQ以及QQ邮箱</span><br><span class="line">QQ邮箱历史注册信息</span><br><span class="line"></span><br><span class="line">2.6 wx溯源</span><br><span class="line"></span><br><span class="line">企业微信溯源-证实可用</span><br><span class="line"></span><br><span class="line">亲测有效。</span><br><span class="line"></span><br><span class="line">因某些原因，视频已做处理。</span><br><span class="line"></span><br><span class="line">具体操作方法：</span><br><span class="line"></span><br><span class="line">利用前提条件：用户已经过实名认证</span><br><span class="line"></span><br><span class="line"><span class="bullet">1. 
</span>添加客户-&gt;搜索手机号码添加-&gt;输入ID/手机号码（重复输入两次手机号码）-&gt;查看-&gt;点击“实名”</span><br><span class="line"></span><br><span class="line">2.添加客户-&gt;搜索手机号码添加-&gt;输入ID/手机号码-&gt;设置备注和描述-&gt;投诉-&gt;发布不适当内容对我造成骚扰-&gt;违法犯罪及违禁品-&gt;提交给企业微信团队审核-&gt;点击聊天记录 即可查看到完整姓名及所属组织</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">2.6. 姓名溯源</span><br><span class="line">缩小范围溯源效果最佳如：姓名 + ID、姓名 + 邮箱、姓名 + 省份/地点、姓名 + 手机号、姓名 + QQ、姓名 + 微信</span><br><span class="line"></span><br><span class="line">搜索引擎</span><br><span class="line"></span><br><span class="line">2.7. 社工库</span><br><span class="line">查询姓名</span><br><span class="line">查询手机号</span><br><span class="line">查询邮箱</span><br><span class="line">查询QQ</span><br></pre></td></tr></table></figure>

<p><strong>3.钓鱼佬永不空军</strong></p>
<figure class="highlight md"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line">1.</span><br><span class="line">专门拿几台windows 10机器放上工具，放上资料，放上信息，搭建渗透环境渗透工具包，正常使用。正常写蓝队每日防守日报，统计资产数据的excel，这类文档捆绑上木马，资产数据放的是一开始1比1伪造的蜜罐资产。不中马就让对方中蜜罐。蓝队每日防守日报诱导性透露信息。</span><br><span class="line"></span><br><span class="line">PS：此处把红队木马专门放到机器上运行，等红队上钩。如果木马免杀效果不佳就把杀软关了，或者放一些被免杀了的杀软。</span><br><span class="line"></span><br><span class="line">2.(慎重操作)</span><br><span class="line">真实资产服务器同主动上钩（1），放木马文档、放蜜罐数据、钓出口IP等等。</span><br><span class="line"></span><br><span class="line">3.</span><br><span class="line">构造钓鱼网站、问卷钓鱼、程序钓鱼。这类钓鱼不需要做木马什么的，任意被杀，我们只需要获取出口IP，上门干红队。</span><br><span class="line"></span><br><span class="line">4.信息收集</span><br><span class="line">收集攻击者信息:习惯、背景、性格、爱好、家乡、单位、所在地、出生年月日等信息。进行组合社工利用</span><br></pre></td></tr></table></figure>



<hr>
<p><strong>反制部分:</strong></p>
<p><strong>1.腾讯云webshell反制</strong></p>
<p><strong>利用：</strong></p>
<p><a href="https://mp.weixin.qq.com/s?__biz=MzU1NjgzOTAyMg==&mid=2247494920&idx=1&sn=b472e4c6fff20cad8dde6d7ce5b2ab11&scene=21#wechat_redirect" target="_blank" rel="noopener">【防溯源】利用腾讯云来隐藏连接Webshell的真实IP</a></p>
<p><strong>反制：</strong></p>
<ul>
<li>判断流量特征<ul>
<li>如果是stage,会有一个payload下载阶段,大小约为210kb,payload未解密之前间隔有大批量重复字符串(cs本身特征)</li>
<li>未经魔改的云函数配置在stage下载阶段会访问/bootstrap-2.min.js (配置文件特征),同时返回包中带有很长一串加密数据,且路径各字符的ASCII值之和对256取余等于92(cs本身特征)</li>
<li>未经魔改的云函数会访问/api/getit这样类似api的模式,可以重点关注(配置文件特征)</li>
<li>云函数的host是<code>service-173y3w0z-xxxxxxxxxx.sh.apigw.tencentcs.com</code>这样的格式,有点类似域前置,host为白域名,可以着重注意host为<code>apigw.tencentcs.com</code>格式的流量,如果业务部门没有这样的业务,特殊时期,可以直接封禁这个域名<code>apigw.tencentcs.com</code>(云函数特征)</li>
<li>请求头中会有云函数的特有特征,如<ul>
<li><code>X-Request-Id:</code> 请求的id<br><code>X-Api-FuncName:</code> 函数名<br><code>X-Api-AppId:</code> 与账号对应，但并非账号本身<br><code>X-Api-ServiceId:</code> 服务id<br><code>X-Api-HttpHost:</code> 由appid、账号id以及腾讯云函数的域名拼接而成<br><code>X-Api-Status:</code> 200 返回值<br><code>X-Api-UpstreamStatus:</code> 200 返回值</li>
</ul>
</li>
<li>抓包看流量,通信的IP是腾讯云的CDN服务器IP</li>
</ul>
</li>
<li>反制手段<ul>
<li>批量上线钓鱼马<ul>
<li>从cs客户端可以看出,上线后的ip过一会就会自动变一次(云函数特性),一次性上线大量ip会让红队直接无法分辨(直接放同一个虚拟机都行,由于云函数的特性,每个心跳包都是一个新的请求,都会被分配一个新ip)</li>
</ul>
</li>
<li>消耗云函数额度<ul>
<li>云函数隐藏C2 和 cdn很像,都有同一个弱点,就是访问是需要计费的,所以可以使用脚本把红队的额度跑掉就好,这样红队的所有马都无法上线<ul>
<li>工具 <a href="https://github.com/a1phaboy/MenoyGone">https://github.com/a1phaboy/MenoyGone</a></li>
</ul>
</li>
</ul>
</li>
<li>虚假上线<ul>
<li>重放心跳包进行上线,但是红队无法执行任何命令</li>
</ul>
</li>
<li>截图举报<ul>
<li>收集好证据,主要是 host名 X-Api-FuncName  X-Api-AppId 这些带有明显云函数的特征的证据,(X-Api-AppId这个很重要)说明该人正在使用云函数对我司进行恶意攻击,请求对其暂时封禁.</li>
</ul>
</li>
</ul>
</li>
</ul>
<p>来源：</p>
<p><a href="https://xz.aliyun.com/t/11625#toc-9" target="_blank" rel="noopener">对云函数隐藏C2技术的防御反制思路</a></p>
<h1 id="FAQ"><a href="#FAQ" class="headerlink" title="FAQ"></a><strong>FAQ</strong></h1><ol>
<li><p><strong>应急需求有哪些分类：</strong></p>
<p>a) 被谁入侵了？ 关联 攻击IP 攻击者信息</p>
<p>b) 怎么入侵的？ 关联 入侵时间轴、漏洞信息</p>
<p>c) 为什么被入侵？ 关联 行业特性、数据信息、漏洞信息</p>
<p>d) 数据是否被窃取？ 关联 日志审计</p>
<p>e) 怎么办？ 关联 隔离、排查分析、删马（解密）、加固、新运营</p>
</li>
</ol>
<ol start="2">
<li><strong>在linux日志中，有无黑客入侵后的操作命令的统计</strong></li>
</ol>
<p>   a) 可以根据history信息进行溯源分析，但一般可能会被清除</p>
<p>   b) 另一种方法是结合 accton 和 lastcomm 进行分析</p>
<ol start="3">
<li><p><strong>关于业务逻辑的排查方法说明</strong></p>
<p>新型业务安全中的安全事件，例如撞库、薅羊毛、支付、逻辑校验等敏感环节，未在本文体现，因此后续有必要对业务侧的应急排查方法进行归纳。</p>
</li>
</ol>
<h1 id="应急响应工具集"><a href="#应急响应工具集" class="headerlink" title="应急响应工具集"></a>应急响应工具集</h1><p>[Windows] 火麒麟：                <a href="https://github.com/MountCloud/FireKylin">https://github.com/MountCloud/FireKylin</a></p>
<p>Autopsy:                <a href="http://www.sleuthkit.org/autopsy/" target="_blank" rel="noopener">http://www.sleuthkit.org/autopsy/</a></p>
<p>Linux_Exploit_Suggester <a href="https://github.com/PenturaLabs/Linux_Exploit_Suggester">https://github.com/PenturaLabs/Linux_Exploit_Suggester</a></p>
<p>应急响应工具包： <a href="https://github.com/theLSA/hack-er-tools">https://github.com/theLSA/hack-er-tools</a></p>
<p>[Linux] GScan: <a href="https://github.com/grayddq/GScan">https://github.com/grayddq/GScan</a></p>
<p>[Linux] LinuxCheck：<a href="https://github.com/al0ne/LinuxCheck">https://github.com/al0ne/LinuxCheck</a></p>
<h1 id="学习来源"><a href="#学习来源" class="headerlink" title="学习来源"></a>学习来源</h1><p><a href="https://xz.aliyun.com/t/1140#toc-0" target="_blank" rel="noopener">黑客入侵应急分析手工排查</a></p>
<p><a href="https://mp.weixin.qq.com/s?__biz=MzkxODM5MzYzNg==&mid=2247485276&idx=1&sn=a9dc8dae50fa5d1c45be49d1c6add532&source=41&key=5e727892ba8c527161427507a0e104fc3aadb6afa32e607d7e59f900b324fed401f2b912656d7af05054043d2abf05f554da26287fb8a72cb146aeb9667aabadc1eac25a25e3e0a8e30cb12635766e8cfe40d6c6f0be850a4672fd30531cbe9743ee66e8c7a978e2ec906c1372ab2a2b3262bd906d69ae8e16af0e731f8b9c37&ascene=14&uin=MTIxNjE2MDE%3D&devicetype=Windows+10+x64&version=63080021&lang=zh_CN&exportkey=n_ChQIAhIQ548e%2FHBCDcxc0n%2BgEUaIyxLyAQIE97dBBAEAAAAAAKW1Dq5wkagAAAAOpnltbLcz9gKNyK89dVj0w0%2Fp9D%2BesTBiyoHKb%2FcaNkPg7SVOnJjOnUung4hyfxxG8Vguc4y1Qc7gqPleRZHbeI2tdXjiRX5Irde%2Fc%2B5fiVxw4fTYY3vkCKOA%2FQKoUsEdLRyheafXOdqSIrRu7cgLlrAEmnkxSBJIccPPeUhuRv0MhKBePy9UFdPp8BkhEO8etYqJdM5aJZlT1keEKD%2ByZChmntiUEiJ47KD7ZgxFalaTqbsJRrsG83b2T33tjiMTwnOf2mAIXCPeiyEgyVniqh4ixbvYQhlWKztb&acctmode=0&pass_ticket=OcOjMgcfdFTCAaktI0yT5tfJbTLeRVLHhF%2Ffii4DAuW%2F99MWezZxiMalkhBUAR89De%2FHdDJYgk9nSbUlb7oSIA%3D%3D&wx_header=1&fontgear=2" target="_blank" rel="noopener">护网中的溯源碎碎念思路</a></p>

  </div>
</article>



        

        
        <footer id="footer">
  <div class="footer-left">
    Copyright &copy;
    
    
    2016-2023
    TonyD0g
  </div>
</footer>

    </div>
    <!-- styles -->

<link rel="stylesheet" href="/lib/font-awesome/css/all.min.css">


<link rel="stylesheet" href="/lib/justified-gallery/css/justifiedGallery.min.css">


    <!-- jquery -->

<script src="/lib/jquery/jquery.min.js"></script>


<script src="/lib/justified-gallery/js/jquery.justifiedGallery.min.js"></script>

<!-- clipboard -->

  
<script src="/lib/clipboard/clipboard.min.js"></script>

  <script type="text/javascript">
  $(function () {
    // Copy-to-clipboard control that is mounted in front of every highlighted code table.
    // The markup is a constant literal; no page or user data is interpolated into it.
    // NOTE(review): this is an inline script, so a strict CSP would need a nonce/hash for it.
    var copyButtonMarkup = '<span class="btn-copy tooltipped tooltipped-sw" aria-label="复制到粘贴板!">'
      + '<i class="far fa-clone"></i>'
      + '</span>';
    $(".highlight table").before(copyButtonMarkup);

    // The text handed to the clipboard is the innerText of every `.code` cell of the
    // table that follows the clicked button, one line per cell.
    var clipboard = new ClipboardJS('.btn-copy', {
      text: function (trigger) {
        var codeCells = trigger.nextElementSibling.querySelectorAll('.code');
        var joined = '';
        Array.prototype.forEach.call(codeCells, function (cell) {
          joined += cell.innerText + '\n';
        });
        return joined;
      }
    });

    // On success, swap the tooltip label and drop the transient text selection.
    clipboard.on('success', function (event) {
      event.trigger.setAttribute('aria-label', "复制成功!");
      event.clearSelection();
    });
  });
  </script>


<script src="/js/main.js"></script>

<!-- search -->

<!-- Google Analytics -->

    <script type="text/javascript">
        // Google Analytics (analytics.js) bootstrap: defines window.ga as a command queue
        // (calls made before the library loads are pushed onto ga.q), then injects the
        // analytics.js loader in front of the first <script> element on the page.
        // NOTE(review): the loader URL is protocol-relative ("//..."); on an https page it
        // resolves to https, but an explicit https: URL would avoid a plaintext load elsewhere.
        (function(i,s,o,g,r,a,m) {i['GoogleAnalyticsObject']=r;i[r]=i[r]||function() {
        (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
        m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
        })(window,document,'script','//www.google-analytics.com/analytics.js','ga');
        // Tracker for the property below; the pageview is queued until analytics.js runs.
        ga('create', 'UA-84578611-1', 'auto');
        ga('send', 'pageview');
    </script>

<!-- Baidu Analytics -->

    <script type="text/javascript">
        // Baidu Tongji command queue; commands pushed here are consumed once hm.js loads.
        var _hmt = _hmt || [];
        (function () {
          // Inject the hm.js loader in front of the first <script> element already on the page.
          var firstScript = document.getElementsByTagName("script")[0];
          var loader = document.createElement("script");
          loader.src = "https://hm.baidu.com/hm.js?2e6da3c375c789455b664cea6d4cb29c";
          firstScript.parentNode.insertBefore(loader, firstScript);
        })();
    </script>

<!-- Disqus Comments -->


</body>
</html>
